cbcvebase.
CVE-2011-4130
published 2011-12-06

CVE-2011-4130: Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g allows remote authenticated users to execute arbitrary code via vectors involving an…

PriorityP268critical9CVSS 2.0
AVNACLAuSCCICAC
ITWVulnCheck KEV
Exploited in the wild
EPSS
12.80%
95.8th percentile
Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g allows remote authenticated users to execute arbitrary code via vectors involving an error that occurs after an FTP data transfer.

Affected

17 ranges
VendorProductVersion rangeFixed in
debianproftpd-dfsg< proftpd-dfsg 1.3.4~rc3-2 (bookworm)proftpd-dfsg 1.3.4~rc3-2 (bookworm)
proftpdproftpd<= 1.3.3
proftpdproftpd
proftpdproftpd
proftpdproftpd
proftpdproftpd
proftpdproftpd
proftpdproftpd
proftpdproftpd
proftpdproftpd
proftpdproftpd
proftpdproftpd
proftpdproftpd
proftpdproftpd
proftpdproftpd
proftpdproftpd
proftpdproftpd

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability is exploitable only by remote authenticated users — monitor for authenticated FTP sessions followed by unexpected error conditions during or after data transfers, which may indicate exploitation attempts of the Response API use-after-free.
  • The flaw is triggered when a new FTP command arrives while a data transfer is in progress, causing the server to retrieve the response pool for the old command — look for anomalous command sequencing (e.g., commands interleaved with active data transfers) in FTP server logs.
  • Exploitation results in memory corruption and potential arbitrary code execution with the privileges of the proftpd process — alert on unexpected crashes or process anomalies in proftpd daemons running versions prior to 1.3.3g.
  • ·Only ProFTPD versions before 1.3.3g are vulnerable; versions 1.3.3g and later (including 1.3.4+) contain the fix. Verify the deployed ProFTPD version to confirm exposure.
  • ·Exploitation requires prior authentication — unauthenticated or anonymous-only FTP deployments have a reduced (but not necessarily zero) attack surface depending on configuration.

CVSS provenance

nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
osv9.0CRITICAL
vulncheck9.0CRITICAL
vendor_debian9.0HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.